Objectives
Cybersecurity
Information assurance
FQHCs as target
Cyber threats/risks
Vulnerabilities
Countermeasures
Safeguarding
Promoting a culture of
security
Serious Threat
Richard Clarke was famously heard to say, "If
you spend more on coffee than on IT security,
then you will be hacked. What's more, you
deserve to be hacked."
The growing number of attacks on our cyber
networks has become, in President Obama's
words, one of the most serious economic and
national security threats our nation faces.
Economy
Defense
Transportation
Medical
Government
Telecommunications
Energy Sector
Critical Infrastructure
Computers/Cable
TV/Phones/MP3/Games
Confidentiality (privacy)
Integrity (quality, accuracy, relevance)
Availability (accessibility)
CIA triad
Internet
In 1995, 16 million users (0.4%)
In 2010, 1.6 billion users (23.5%)
Physical and cyber security cannot be treated
separately; they are intertwined.
Information Gathering
Attack Trends
Increasing sophistication
Decreasing costs
Increasing attack frequency
Difficulties in patching systems
Increasing network connections,
dependencies, and trust relationships
Misuse
Disasters
Data interception
Computer theft
Identity/Password theft
Malicious software
Data theft/corruption
Vandalism
Human error
Threats
A threat is any potential danger to
information and systems
3 levels of cyber threats
Unstructured
Structured
Highly structured
Unstructured Threats
Individual/small group with little or no
organization or funding
Easily detectable information gathering
Exploitations based upon documented
flaws
Targets of opportunity
Gain control of machines
Motivated by bragging rights, thrills, access
to resources
Structured Threats
Well organized, planned and funded
Specific targets and extensive information
gathering to choose avenue and means of
attack
Goal-data stored on machines or machines
themselves
Exploitation may rely on insider help or an
unknown flaw
Target drives attack
Organized crime/black hat hackers
Web as Weapon
Gray Hats
Adrian Lamo
Find vulnerabilities, inform company
WorldCom, Google, NYTimes, Bank of America,
NASA
NYTimes used SSN # as passwords
Edited Yahoo Story
Robert Lyttle
DoD, Pentagon
Both got into trouble!
2600 Hz Tone
Captain Crunch Whistle & 4th E above Middle C
Long whistle reset line, then dial w/whistle
Tricked phone companies/tone dialing
Free long distance and international calls
Risk
Threat + Vulnerability
Likelihood of an undesirable event
occurring combined with the magnitude of
its impact
Natural
Manmade
Accidental or Intentional
People are the weakest link
Risk Management
Identifying and assessing risk, reducing it
to an acceptable level and implementing
mechanisms to maintain that level
Protect against:
Physical damage
Human error
Hardware failure
Program error
Cyber attack
Recovery Strategy
A recovery strategy provides direction to
restore IT operations quickly and
effectively
Backup methods
Alternate sites
Equipment replacement
Roles and responsibilities
Cost considerations
BCP
A comprehensive written plan to maintain
or resume business operations in the event
of a disruption
Continue critical business operations
Jeopardize normal operations
Most critical operations
May require alternate sites (hot, warm,
cold)
What do we need to KEEP going?
DRP
A comprehensive written plan to return
business operations to the pre-disruption
state following a disruption
Restore IT functions (prep and restore)
Jeopardize the normal operations
Includes all operations
RETURN TO NORMAL BUSINESS
OPERATIONS
WHAT DO WE NEED TO DO IN CASE
OF A DISASTER?
Personal Security
Practices established
to ensure the safety
and security of
personnel and other
organizational assets
It's ALL about people
People are the weakest
link
Reduce vulnerability
to personnel based
threats
Social Engineering
Being fooled into giving someone access
when the person has no business having the
information.
P&P
Acceptable use policy-what actions users
may perform while using computers
Personnel controls-need to know,
separation of duties
Hiring and termination practices-background checks, orientation, exit
interview, escorting procedure
Toll fraud
Disclosure of information
Unauthorized access
Traffic analysis
Denial of Service (DoS)
Data Networks
For computers to communicate
Less expensive to use same network
Modems designed to leverage this asset
Modem Threats
Unauthorized and misconfigured modems
Authorized but misconfigured modems
Wardialing
Hackers use a program that calls a range of
telephone numbers until it connects to an
unsecured modem and allows them dialup
access
Identify potential targets
Policy
Scanning
Administrative action
Passwords
Elimination of modem connections
Use a device to protect telephony-based
attacks and abuses
Less expensive
Increased functionality
Flexibility and mobility
Service theft
Eavesdropping
Vishing
Call tampering
Physical control
Authentication and encryption
Develop appropriate network architecture
Employ VoIP firewall and security devices
Data Networks
Information gathering
Denial of Service (DoS)
Disinformation
Man-in-the-middle
Session hijacking
Sniffing
A sniffer is a program that monitors and
analyzes network traffic and is used
legitimately or illegitimately to capture data
transmitted on a network
Man-In-The-Middle Attacks
Instead of shutting down target networks,
attackers may want access
Accesses information passing between authorized
parties and observes it
Uses a sniffer and gains information
Digital wiretapping
Types of attacks
Eavesdropping
Session hijacking
Sniffing Countermeasures
Other Countermeasures
Encrypted session negotiation (ensure
handshake process)
Repeating credential verification during the
session (kick out hijackers)
Partitions
User training (all personnel can understand
security)
Defense-In-Depth
Defense-in-depth is an information
assurance (IA) strategy in which multiple
layers of defense are placed throughout an
information technology (IT) system.
It addresses security vulnerabilities in
personnel, technology and operations for
the duration of the system's life cycle.
Router security
Demilitarized Zone
Bastion host
Firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Virtual Private Network
(Defensive technologies)
Routers
First line of perimeter defense
Connects external environment to internal
network
Securely configured
Audit regularly
Keep patched and updated
DMZ
Machine or machines accessible from the
Internet, but located on neither the internal
network nor the Internet itself
Web server
Email server
Should not contain much valuable data
IDS sensor to detect malicious traffic
Firewalls
Control connections from one network (or portion
of network) to another (restrict Internet access)
Enforce security policy
Hardware or software
Firewalls DO NOT monitor connections that do not
pass directly through them: not a magic bullet
Even perfectly configured is still vulnerable
Packet filtering
Proxies
Stateful inspection
Wireless Technology
Allows
communication
between multiple
systems/devices
without physical
connection
Much less expensive
than wired solutions
WLAN
Default Settings
Many access points arrive with no security
mechanism in place
Changing the default settings before
deployment should be a matter of
organizational practice
Authentication Issues
Open system-SSID only, subject to sniffing
Shared key-SSID plus WEP-encrypted key
required, subject to man-in-the-middle
attacks
Many wireless networks do not contain
adequate authentication mechanisms
Both Open and Shared are considered weak
Authentication Issues
WEP standard proven
insufficient
Replaced with Wi-Fi
Protected Access
(WPA)
WPA demonstrates its
own weaknesses
Replaced by WPA2
which is viewed as
more secure
Bluetooth Security
Popular short-range technology
Used for many personal electronic devices
including phones, music players, etc.
Threats
Bluejacking-sending unsolicited messages to
Bluetooth devices
Bluesnarfing-unauthorized access of information
from a wireless device through a Bluetooth
connection
Bluebugging-unauthorized control of Bluetooth
assets
Operating System
A program that acts as an intermediary between a
computer user and the computer hardware
GUI Graphical User Interface
Process management
Main memory management
File management
I/O system management
Secondary storage management
Network management
Protection system management
User interface management
Access Control
Verifying the identity of entities before
granting access and restricting access
Controls how users and systems
communicate and interact with other
systems and resources
First line of defense
Authenticate before allowing access to
authorized resources
Policies, locks, passwords
Social media policies??
Auditing
A trail to follow
Creation of logs
A log is a record of
events or activities
that occur
Detectable events
Collect and save in
secure information
Analyze results
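The three steps on this slide (detectable events, collect and save, analyze results) are easiest to see on real lines. The following is an added example, not code from the original deck: it reads constructed login records in an assumed syslog-like format and flags two kinds of detectable event, repeated failed logins from one user/source pair within a short window (followed, worse, by a success), and logins outside assumed business hours. The format, user names, addresses and thresholds are all assumptions made for the example.

```python
"""Log review for the Auditing slide: an added example, not code from the original deck."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a simple syslog-like format; the format, the
# user names and the addresses are assumptions made for this example.
SAMPLE_LOG = """\
2010-03-01T08:00:01 login: FAILED user=jsmith src=10.0.0.7
2010-03-01T08:00:03 login: FAILED user=jsmith src=10.0.0.7
2010-03-01T08:00:05 login: FAILED user=jsmith src=10.0.0.7
2010-03-01T08:00:08 login: FAILED user=jsmith src=10.0.0.7
2010-03-01T08:00:12 login: FAILED user=jsmith src=10.0.0.7
2010-03-01T08:00:15 login: SUCCESS user=jsmith src=10.0.0.7
2010-03-01T08:05:00 login: FAILED user=mlee src=10.0.0.9
2010-03-01T09:30:00 login: SUCCESS user=mlee src=10.0.0.9
2010-03-01T02:10:00 login: SUCCESS user=admin src=10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+) login: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event dict; lines that do not match are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result, "user": user, "src": src}


def analyze(log_text: str, threshold: int = 5, window_s: int = 300,
            business_hours: Tuple[int, int] = (7, 19)) -> List[dict]:
    """Detectable events worth a follow-up: password guessing and after-hours logins.

    Thresholds are assumptions for the example: 'threshold' failures within
    'window_s' seconds from one user/source pair, and successful logins outside
    business_hours (24h clock, start inclusive, end exclusive).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # review the record in time order
    alerts: List[dict] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    for ev in events:
        key = (ev["user"], ev["src"])
        # Keep only the failures that are still inside the sliding window.
        failures[key] = [t for t in failures[key]
                         if (ev["ts"] - t).total_seconds() <= window_s]
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            if len(failures[key]) == threshold:   # fire once, when the threshold is reached
                alerts.append({"kind": "brute_force", "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"]})
        else:
            if len(failures[key]) >= threshold:   # guessing that apparently worked
                alerts.append({"kind": "success_after_failures", "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"]})
            failures[key].clear()
            if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
                alerts.append({"kind": "after_hours", "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"]})
    return alerts


def alert_kinds(log_text: str = SAMPLE_LOG) -> List[str]:
    """Just the alert types, in time order, for a quick summary."""
    return [a["kind"] for a in analyze(log_text)]


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["user"], a["src"])
```

The "collect and save in secure information" step is what makes this possible: the analysis only works if the records were written somewhere the person being audited cannot edit, and it is run over the whole time range rather than line by line, which is why the events are sorted first.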
Threats to OS
The basic problem with operating systems and
computers is that a system may allow
unauthorized users to compromise it and gain
unauthorized access to system resources
Weak/Broken identification
Weak internal security structures
Programming errors in operating system
Implementing Policies
The whole access control process is driven
by policies and procedures
One part of implementing those policies is a
password policy that makes it less likely that
an attacker can break into computer systems by
compromising a password
Password Policy
What makes a good
password policy?
New password
Reuse of old passwords
Length of validity
When can it be changed
Minimum length of
password
Complexity requirements
Should password be stored
Specific OS Attacks
DoS: attack on availability, consume resources
Hack: exploit a vulnerability to gain unauthorized
access to the system
Backdoor: An access method that bypasses the
normal security of the system
Memory issues: Memory is not erased before
being given to another program
Escalation of privileges: user exploits
vulnerability to gain unauthorized access
Default settings: most operating systems ship
with the simplest configuration, security disabled
Securing Systems
Perform system hardening
Find out what vulnerabilities are still
present
Fix them
Countermeasures: DoS
Set network and host firewall filters for
known bad traffic
Apply OS patches for known vulnerabilities
Limit time and resources to processes
Monitor for threat activity on the network
and host using IDS
Detect and block
Countermeasures: Backdoor
XSS Countermeasures
Software bug
Install latest updates and Service Packs
Disable scripting and ActiveX (Drive by)
Configure application securely
Use alternate, safer applications
Drive by Download
Drive by Download is an unintended download of
computer software from the Internet:
1. Downloads which a person authorized but
without understanding the consequences (e.g.
downloads which install an unknown or
counterfeit executable program, ActiveX
component, or Java applet).
2. Any download that happens without a person's
knowledge.
3. Download of spyware, a computer virus or any
kind of malware that happens without a person's
knowledge.
andy
helen2008
Computer
Jonas_Puente
marykay
htimsnosaj
b1@nc@&l33
cold*beer
020973
n1h0nj1n
*pdbmc12
Spoofing
A situation in which a person/program
successfully masquerades as another by
presenting false information.
Virus
Individual programs
that propagate by first
infecting executable
files or the system and
then making copies of
themselves.
Can operate without
your knowledge (visit
website, you open
attachment).
WE OPEN IT
Worm
Designed to replicate and spread from
computer to computer (attach to file and
run on their own)
WE DON'T HAVE TO OPEN IT
Trojan Horse
Designed and written like normal programs
but with hidden code that lets a remote
user/computer compromise your system.
Logic/Time Bomb
Program that lies dormant until it is
activated by something (date, message).
Spyware
Computer software that gathers information
about a computer user and transmits it
without your knowledge (benign or
malignant, websites or credit card
information).
Adware
Advertising supported software in which
advertisements are displayed while the
program is running.
Malware Goals
Malicious code threatens three primary security goals:
Confidentiality: Programs like spyware can capture
sensitive data while it is being created and pass it on to an
outside source.
Availability: Many viruses are designed to modify
operating system and program files, leading to computer
crashes. Internet worms have spread so widely and so
quickly that they have overloaded Internet connections
and email systems, leading to effective denial-of-service
attacks.
Integrity: Protecting information from unauthorized or
inadvertent modification. For example, without integrity,
your account information could be changed by someone
else.
Password policies
Backup
Cryptography
Spoofing countermeasures
Malware detection and prevention
Password Policies
History - 10 passwords
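The Password Policy slide lists the knobs (reuse of old passwords, minimum length, complexity requirements, whether passwords are stored), the later slide shows a list of sample passwords, and this slide sets the history at 10. The following is an added example, not code from the original deck, that turns those knobs into a checker and runs the deck's own sample passwords through it. The numeric settings, the deny list of words and the PBKDF2-based history store are assumptions chosen for the example.

```python
"""Password-policy checker: an added example, not code from the original deck."""
import hashlib
import os
import re
from collections import deque
from typing import List, Optional

# The deck names the policy knobs (minimum length, complexity, reuse, a
# history of 10); the values below are assumptions chosen for the example.
MIN_LENGTH = 12
MIN_CLASSES = 3          # out of: lowercase, uppercase, digit, symbol
HISTORY_SIZE = 10        # "History - 10 passwords"

# Constructed deny list: common words plus tokens from the user's own
# identity (name, family, pets). A real deployment would load a much larger list.
BANNED_WORDS = {"password", "computer", "andy", "helen", "marykay",
                "jonas", "puente", "jasonsmith", "bianca", "beer"}

# Undo the usual letter-for-digit substitutions so "b1@nc@" is seen as "bianca".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s"})


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def banned_hits(pw: str) -> List[str]:
    """Banned words found in the password, also after leet-normalising and reversing it."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return sorted(w for w in BANNED_WORDS if w in letters or w in letters[::-1])


def _history_hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a production system would use the same
    # dedicated password hasher it uses for the live credential (bcrypt/argon2).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Salted hashes of the last HISTORY_SIZE passwords, so reuse can be refused
    without keeping the old passwords themselves."""

    def __init__(self, size: int = HISTORY_SIZE):
        self.salt = os.urandom(16)
        self.recent: deque = deque(maxlen=size)   # the oldest entry drops off automatically

    def contains(self, pw: str) -> bool:
        return _history_hash(pw, self.salt) in self.recent

    def record(self, pw: str) -> None:
        self.recent.append(_history_hash(pw, self.salt))


def violations(pw: str, history: Optional[PasswordHistory] = None) -> List[str]:
    """Every policy rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if pw.isdigit():
        problems.append("digits only (dates and phone numbers are guessed first)")
    hits = banned_hits(pw)
    if hits:
        problems.append("contains banned word(s), possibly disguised or reversed: " + ", ".join(hits))
    if history is not None and history.contains(pw):
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    return problems


# The deck's own list of sample passwords, run through the policy.
SAMPLE_PASSWORDS = ["andy", "helen2008", "Computer", "Jonas_Puente", "marykay",
                    "htimsnosaj", "b1@nc@&l33", "cold*beer", "020973", "n1h0nj1n", "*pdbmc12"]


def evaluate_samples() -> dict:
    """Map each sample password to the list of rules it breaks."""
    return {pw: violations(pw) for pw in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    for pw, problems in evaluate_samples().items():
        print(f"{pw:14} {'OK' if not problems else '; '.join(problems)}")
```

Every one of the deck's samples fails at least one rule: most are too short, "Jonas_Puente" is long and mixed but is a name, and "htimsnosaj" is a name spelled backwards, which is why the check also looks at the reversed, de-leeted letters. The history keeps only salted, stretched hashes, which answers the slide's "should the password be stored" question with a no: reuse can be refused without the old passwords ever being kept.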
Backup
Copying files to a second medium for later
retrieval as a precaution in case the first medium
fails
Perform frequently
Keep in a separate location
93% of companies that lost their data center for
10 days or more due to a disaster filed for
bankruptcy within one year of the disaster
50% of businesses that found themselves without
data management for this same period filed for
bankruptcy immediately
Spoofing Countermeasures
Practice safe email usage and web surfing
Attend security awareness training
Malware Countermeasures
Only run software you can trust
Install antivirus software
Scan file attachments with antivirus
software before opening
Verify critical file integrity
BACKUP
EHR
Advantages
Reduction of cost
Improve quality of
care
Promote evidence-based medicine
Record keeping and
mobility
Disadvantages
Costs
Time
Possible Issues
Unauthorized users can compromise
integrity and confidentiality
Unauthorized access to computer networks
Password protection (hacks and policies)
Subversive software (malware)
Disaster
Data breaches
Theft
Lost devices
Social networking
Examples of PII
Name
Date of birth
Biometrics
Mailing address
Phone #
Email address
Zip code
Account numbers
License information
Social Security #
Place of birth
License plate
Photos
Sensitive Data
Data Segmentation
Safeguarding PII
Store sensitive information in a room or area that has
access control measures to prevent unauthorized access by
visitors or members of the public (e.g., locked desk
drawers, offices, and file cabinets)
Never email sensitive information to unauthorized
individuals.
Never leave sensitive information on community printers
Take precautions to avoid the loss or theft of computer
devices and removable storage media
Destroy all sensitive information by appropriate methods
(paper shredder) when it is no longer needed
Notify your immediate supervisor if you suspect or
confirm that a privacy incident has occurred
In Summary
Identify vulnerabilities
Human error is biggest threat
Fix vulnerabilities (patches, etc.)
Have policies and procedures
Computer maintenance program
Educate staff
Stay informed of latest and greatest
References
Voice & Data Security: An Introduction to
Information Assurance (FEMA/DHS)
IS 906: Workplace Security Awareness
(FEMA)
EHR PPT, Nina Robinson, NJPCA